BadCertificateRevocationUnknown unable to get certificate CRL

Questions regarding the use of the UaExpert.

Moderator: uaexpert

Peter Eser
Full Member
Posts: 8
Joined: 22 Oct 2015, 13:00

BadCertificateRevocationUnknown unable to get certificate CRL

Post by Peter Eser »

Hello all,

I put my issuer certificate under Manage Certificates, but when I connect to my OPC server I get the error

BadCertificateRevocationUnknown unable to get certificate CRL

in the Certificate Validation. If I accept the certificate temporarily all works fine.
Issuer of the server certificate seems to fit.

Anybody any idea?

Thanks and Regards, Peter

Peter Eser
Full Member
Posts: 8
Joined: 22 Oct 2015, 13:00

Re: BadCertificateRevocationUnknown unable to get certificat

Post by Peter Eser »

... I even cannot connect with the java SampleServer via https-uabinary.
Error is "unable to get local issuer certificate" in the trace:

12:11:14.121 | General | | [uastack] OpcUa_Socket_FinalizeSslConnect: Could not obtain information about used cipher!
12:11:14.121 | General | | [uastack] OpcUa_Socket_FinalizeSslConnect: Could not retrieve peer certificate!
12:11:14.121 | General | | [uastack] OpcUa_Socket_FinalizeSslConnect: SSL certificate verification result 20 -> "unable to get local issuer certificate"!
12:11:14.121 | General | | [uastack] OpcUa_Socket_ProcessSslError: SSL error code is SSL_ERROR_SSL; mapped to status code 0x80130000
12:11:14.121 | General | | [uastack]
verify error:
num=20:unable to get local issuer certificate
depth=0
/CN=EDV-W014
12:11:14.121 | Server Node | SampleConsoleServer - None ... | Connecting failed with error 'BadCommunicationError'
12:11:14.106 | General | | [uastack] OpcUa_HttpsStream_Read: End of Stream reached! Buffer 0 of 0!
12:11:14.106 | General | | [uastack] OpcUa_Socket_FinalizeSslConnect: SSL certificate verification result 21 -> "unable to verify the first certificate"!
12:11:14.106 | Server Node | SampleConsoleServer - None ... | ApplicationUri: 'urn:EDV-W014:OPCUA:SampleConsoleServer'
12:11:14.106 | Server Node | SampleConsoleServer - None ... | Found security policy 'http://opcfoundation.org/UA/SecurityPolicy#None'
12:11:14.106 | Server Node | SampleConsoleServer - None ... | Found endpoint 'https://EDV-W014:52443/OPCUA/SampleConsoleServer'
12:11:14.075 | General | | [uastack]
verify error:
num=21:unable to verify the first certificate
depth=0
/CN=EDV-W014
12:11:14.075 | General | | [uastack]
verify error:
num=27:certificate not trusted
depth=0
/CN=EDV-W014
12:11:14.075 | General | | [uastack]
verify error:
num=20:unable to get local issuer certificate
depth=0
/CN=EDV-W014

I know I have to install the CA under TLS issuers, but that seems not to help.

Any help appreciated.

Peter

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: BadCertificateRevocationUnknown unable to get certificat

Post by Support Team »

Hello,

UaExpert's certificate validation logic requires every CA (Certificate Authority) to have a valid matching CRL (Certificate Revocation List) inside the appropriate crl folder. If the CRL cannot be found, the error BadCertificateRevocationUnknown or BadCertificateIssuerRevocationUnknown is thrown. The next version of UaExpert will allow overriding this and some other certificate validation errors.

HTTPS support is still experimental in our products, so interoperability problems may occur. We will investigate this issue.

Best regards
Support Team

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: BadCertificateRevocationUnknown unable to get certificat

Post by Support Team »

For validating HTTPS certificates, we use OpenSSL's builtin certificate validation facility. This makes it necessary to put certificates into the issuers list using a certain format.

When connecting to the JAVA server, UaExpert asks if the server's HTTPS certificate should be trusted. This is not sufficient, as OpenSSL requires that the CA certificate is trusted. To achieve this, please use the following steps to trust the CA certificate:

1. Open a command prompt or bash where the openssl executable is available (e.g. GIT bash)
2. Navigate to the folder containing the CA certificate, usually '\samples\PKI\CA\private\' inside the JAVA SDK
3. Execute the following command to get the subject hash value of the certificate, e.g. '55911d8a':
> openssl x509 -in ProsysSampleCA.der -inform DER -hash
4. Execute the following command after replacing <HASH_VALUE> with the value from 3.
> openssl x509 -in ProsysSampleCA.der -inform DER -outform PEM -out <HASH_VALUE>.0
5. You should now have a file named <HASH_VALUE>.0 (e.g. 55911d8a.0), copy that to the 'tls_issuers\certs' folder of your UaExpert PKI store (usually C:\Users\<USERNAME>\AppData\Roaming\unifiedautomation\uaexpert\PKI\tls_issuers\certs)

Now the CA certificate of the JAVA server is trusted and connecting will work.
